Exchange Quick Audit: mailboxes created in last 7 days

by Bharat Suneja

I remember writing plenty of scripts to report on different things such as user accounts created every week/month, user accounts modified, accounts disabled, etc. for SOX compliance. Some of those scripts used to be rather long, and in hindsight— involved a lot more lines of code than an administrator should have to write. Although I had a lot of fun (and still do… albeit with PowerShell), I would totally understand if you said you never wanted to hear about things like Wscript, VBScript, WSH, COM objects, ADSI, and WMI ever again.

Let’s take a look at how the shell (EMS) makes it so easy.

In this example, we need to get a list of all accounts created in the last 7 days. When a user account is created, its whenCreated attribute gets stamped with the time of creation. Here’s how it can be used:

Similarly, when an AD object is changed, it’s whenChanged attribute gets stamped with the time the change was made. This makes it easy to determine which objects were changed in a given period, a useful tool for auditing/reporting as well as troubleshooting. In the following example, we determine if any Receive Connectors were changed in the last 7 days.

Update 8/18/2011: Exchange 2010 includes the WhenMailboxCreated property for mailboxes, which makes this easier. The property doesn’t change when a mailbox is moved to another mailbox database.

The good news is, WhenMailboxCreated is a filterable property! This means we don’t need to run Get-Mailbox -ResultSize Unlimited to retrieve all mailboxes and then pipe the results to the Where-Object cmdlet to do the filtering. The filtering can occur on server-side.

Thanks for sharing nice scripts to report on different things such as user accounts created every week or month, user accounts modified, accounts disabled etc for SOX compliance. You can try automate utility ( http://www.mailboxaccessauditing.com/ ) to find out the mailbox creation date.